xds: Remove empty-string SNI handling

becomeStar · becomeStar · commit 7fa58733bb2a · 2026-02-06T00:57:18.000+09:00
Remove handling that propagated an empty string as SNI when no SNI
conditions were met.

With the legacy authority-based fallback removed, omitting SNI is the
intended behavior under gRFC A101. Relying on an empty string as an
intermediate representation is unnecessary and couples behavior to an
internal detail.

This also removes a test that asserted the empty-string SNI, as it no
longer reflects a stable or observable contract.
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java b/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
@@ -222,8 +222,6 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       if (sniToUse.isEmpty()) {
         if (CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
           sniToUse = grpcHandler.getAuthority();
-        } else {
-          sniToUse = "";
         }
         autoSniSanValidationDoesNotApply = true;
       } else {
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java
@@ -296,23 +296,6 @@ public void sniInClientSecurityHandler_autoHostSniIsFalse_usesSniFromUpstreamTls
     assertThat(clientSecurityHandler.getSni()).isEqualTo(SNI_IN_UTC);
   }
 
-  @Test
-  public void sniInClientSecurityHandler_noSniConditionsMet_omitsSni() {
-    Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
-        .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE,
-            CLIENT_PEM_FILE, CA_PEM_FILE, null, null, null, null, null);
-    UpstreamTlsContext upstreamTlsContext = CommonTlsContextTestsUtil.buildUpstreamTlsContext(
-        "google_cloud_private_spiffe-client", true, "", false);
-    SslContextProviderSupplier sslContextProviderSupplier =
-        new SslContextProviderSupplier(upstreamTlsContext,
-            new TlsContextManagerImpl(bootstrapInfoForClient));
-
-    ClientSecurityHandler clientSecurityHandler =
-        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier, HOSTNAME);
-
-    assertThat(clientSecurityHandler.getSni()).isEqualTo("");
-  }
-
   @Test
   public void serverSecurityHandler_addLast()
       throws InterruptedException, TimeoutException, ExecutionException {

Original file line number	Diff line number	Diff line change
`@@ -222,8 +222,6 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {`
`222`	`222`	`if (sniToUse.isEmpty()) {`
`223`	`223`	`if (CertificateUtils.useChannelAuthorityIfNoSniApplicable) {`
`224`	`224`	`sniToUse = grpcHandler.getAuthority();`
`225`		`- } else {`
`226`		`- sniToUse = "";`
`227`	`225`	`}`
`228`	`226`	`autoSniSanValidationDoesNotApply = true;`
`229`	`227`	`} else {`